Authentication Mechanism for 5G Technologies

ABSTRACT

Embodiment mutual authentication and security agreement (MASA) protocols may use independently generated integrity and/or encryption keys to securely communicate private information exchanged between UEs and various network-side devices (e.g., base stations, MMEs, HSSs, etc.). In particular, embodiment MASA protocols may use an initial authentication request (IAR) encryption key (KIAR ENC ) to encrypt UE specific information (e.g., an IMSI, etc.) in an IAR message and/or an initial authentication response (IAS) encryption key (KIAS ENC ) to encrypt private information in an IAS message. Additionally, embodiment MASA protocols may use an IAR integrity protection key (KIAR INT ) to verify the integrity of information in an IAR message and/or an IAS integrity protection key (KIAS INT ) to verify the integrity of information in an IAS message. The KIAR ENC , KIAR INT , KIAS ENC , and/or KIAS INT  may be independently computed by the UE and a home subscriber server (HSS).

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/453,776, filed on Mar. 8, 2017 and entitled “Authentication Mechanismfor 5G Technologies,” which claims priority to each of U.S. ProvisionalApplication 62/306,550 entitled “Authentication Mechanism for 5GTechnologies” and filed on Mar. 10, 2016, U.S. Provisional Application62/317,295 entitled “Authentication Mechanism for 5G Technologies” filedon Apr. 1, 2016, U.S. Provisional Application 62/383,223 entitled“Systems and Methods for Integrity Protecting Serving Network Messages”and filed on Sep. 2, 2016, U.S. Provisional Application 62/399,069entitled “System and Method for 5G MASA using 4G USIM” and filed on Sep.23, 2016, and U.S. Provisional Application 62/399,055 entitled “Systemand Method for Negotiating UE Security Capabilities with 3GPP NextGeneration Network” filed on Sep. 23, 2016, all of which areincorporated by reference herein as if reproduced in their entireties.

TECHNICAL FIELD

The present invention relates generally to wireless telecommunications,and, in particular embodiments, to a system and method forauthentication mechanisms for 5G technologies while providing privacy tosubscriber and UE permanent identifiers.

BACKGROUND

Modern wireless networks typically include various security features toprevent unauthorized third parties from access and/or manipulating data.In particular, long term evolution (LTE) networks provide three basicsecurity features, namely: LTE authentication, non-access stratum (NAS)security, and access stratum (AS) security. The LTE authenticationfeature ensures that a user is an authorized subscriber to the network(or network service) that the user is attempting to access, while theNAS security and AS security features ensure that control and user datacommunicated over a radio access network (RAN) is secure at the NAS andAS levels, respectively.

SUMMARY

Technical advantages are generally achieved, by embodiments of thisdisclosure which describe authentication mechanisms for 5G technologies.

In accordance with an embodiment, a method for secure authentication isprovided. In this example, the method includes generating a firstintegrity key based at least on a pre-provisioned key (K key) of the UEand a first random number (RAND₁), and generating a messageauthentication code (MAC) signature by computing a hash function of UEspecific information using the first integrity key. The UE specificinformation includes at least an International Mobile SubscriberIdentity (IMSI) of the UE and the RAND₁. The method further includesencrypting the UE specific information and the MAC signature using apublic key to form an encrypted portion, and sending an initialauthentication request message to a base station in a serving network.The initial authentication request message carrying the encryptedportion and an unencrypted network identifier. An apparatus forperforming this method is also provided.

In accordance with another embodiment, another method for secureauthentication is provided. In this example, the method includesreceiving a user authentication information request message from amobility management entity (MME) in a serving network that includes ahome network identifier (HID) and an encrypted portion, and decryptingthe encrypted portion using a home network private key associated withthe HID to obtain user equipment (UE) specific information and a firstMessage authentication code (MAC) signature. The UE specific informationincludes at least an International Mobile Subscriber Identity (IMSI) ofthe UE and a first random number (RAND₁). The method further includesobtaining a first integrity key based on the IMSI of the UE and theRAND₁, and verifying the integrity of the user authenticationinformation request message. Verifying the integrity of the userauthentication information request message comprises generating a secondMAC signature by computing a hash function of UE specific informationusing the first integrity key, and comparing the second MAC signaturewith the first MAC signature to determine whether the UE specificinformation originated from the UE. An apparatus for performing thismethod is also provided.

In accordance with yet another embodiment, yet another method for secureauthentication is provided. In this example, the method includesgenerating a first encryption key based on a pre-provisioned key of theUE and a first random number (RAND₁), encrypting at least anInternational Mobile Subscriber Identity (IMSI) of the UE and the RAND₁using the first encryption key to form an encrypted inner portion,encrypting at least the inner portion, the RAND₁, and the IMSI using apublic key to form an encrypted outer portion, and sending an initialauthentication request message to a base station in a serving network.The initial authentication request message carries the encrypted outerportion and an unencrypted network identifier. An apparatus forperforming this method is also provided.

In accordance with yet another embodiment, yet another method for secureauthentication is provided. In this example, the method includesreceiving an initial authentication request message from a userequipment (UE) that includes an encrypted outer portion and anunencrypted network identifier, decrypting the encrypted outer portionusing a private key associated with the serving network to obtain anInternational Mobile Subscriber Identity (IMSI) of the UE, a firstrandom number (RAND₁), and an encrypted inner-portion, and sending anauthentication and data request message to a home subscriber server(HSS) in a home network of the UE. The authentication and data requestmessage includes at least the IMSI, RAND₁, and the encrypted innerportion. An apparatus for performing this method is also provided.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present disclosure, and theadvantages thereof, reference is now made to the following descriptionstaken in conjunction with the accompanying drawings, in which:

FIG. 1 is a diagram of an embodiment wireless communications network;

FIG. 2 is a diagram of a 5G network architecture;

FIG. 3 is a protocol diagram of a conventional communications sequencefor authenticating a UE in a wireless network;

FIG. 4 is a protocol diagram of an embodiment communications sequencefor authenticating a UE in a wireless network;

FIG. 5 is a diagram of embodiment frame formats for messages exchangedduring the embodiment communications sequence depicted by FIG. 4;

FIG. 6 is a diagram of additional embodiment frame formats for messagesexchanged during the embodiment communications sequence depicted by FIG.4;

FIG. 7 is a flow chart of an embodiment method for generating an initialauthentication request (IAR) message according to a MASA protocol;

FIG. 8 is a flow chart of an embodiment method for processing anauthentication and data request message and generating an authenticationand data response message according to a MASA protocol;

FIG. 9 is a flowchart of an embodiment method for processing anauthentication and data response message and generating an initialauthentication response (IAS) message according to a MASA protocol;

FIG. 10 is a flowchart of an embodiment method for processing an IASmessage according to a MASA protocol;

FIG. 11 is a protocol diagram of another embodiment communicationssequence for authenticating a UE in a wireless network;

FIG. 12 is a diagram of embodiment frame formats for messages exchangedduring the embodiment communications sequence depicted by FIG. 11;

FIG. 13 is a flow chart of an embodiment method for generating an IARmessage according to a MASA protocol;

FIG. 14 is a flow chart of an embodiment method for processing anauthentication and data request message and generating an authenticationand data response message according to a MASA protocol;

FIG. 15 is a flowchart of an embodiment method for processing anauthentication and data response message and generating an IAS messageaccording to a MASA protocol;

FIG. 16 is a flowchart of an embodiment method for processing an IASmessage according to a MASA protocol;

FIG. 17 is a protocol diagram of yet another embodiment communicationssequence for authenticating a UE in a wireless network;

FIG. 18 is a diagram of embodiment frame formats for messages exchangedduring the embodiment communications sequence depicted by FIG. 17;

FIG. 19 is a flow chart of an embodiment method for generating an IARmessage according to a MASA protocol;

FIG. 20 is a flowchart of an embodiment method for processing an IARmessage and generating an authentication and data request messageaccording to a MASA protocol;

FIG. 21 is a flow chart of an embodiment method for processing anauthentication and data request message and generating an authenticationand data response message according to a MASA protocol;

FIG. 22 is a diagram of an embodiment frame formats for an IAR message;

FIG. 23 is a diagram of an embodiment processing system; and

FIG. 24 is a diagram of an embodiment transceiver.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

The making and using of embodiments of this disclosure are discussed indetail below. It should be appreciated, however, that the conceptsdisclosed herein can be embodied in a wide variety of specific contexts,and that the specific embodiments discussed herein are merelyillustrative and do not serve to limit the scope of the claims. Further,it should be understood that various changes, substitutions andalterations can be made herein without departing from the spirit andscope of this disclosure as defined by the appended claims. While theinventive aspects are described primarily in the context of 5G wirelessnetworks, it should also be appreciated that those inventive aspects mayalso be applicable to 4G and 3G wireless networks.

The LTE authentication and NAS security protocols are usually performedsequentially, during which time mutual authentication is establishedbetween the UE and the serving network and NAS layer encryption keys aregenerated. In particular, a UE sends an International Mobile SubscriberIdentity (IMSI) to a mobility management entity (MME) in a servingnetwork. The MME then sends the IMSI to a home subscriber server (HSS)in a home network of the UE, which generates Evolved Packet System (EPS)authentication vectors. The EPS authentication vectors are thencommunicated to the MME, where they are used to authenticate the UE andgenerate NAS layer encryption keys in accordance with an authenticationand key agreement (AKA) procedure. Thereafter, the NAS layer encryptionkeys are used to encrypt signaling exchanged between the UE and the MME.

When using conventional LTE authentication protocols, an unencryptedIMSI is communicated from the UE to the access point. This creates apotential security vulnerability because the IMSI is private informationthat can be exploited by malicious third parties to engage inunauthorized activities, such as tracking the UE and/or engaging denialof service attacks. Accordingly, techniques for securely communicatingthe IMSI during LTE authentication are desired.

Aspects of this disclosure provide embodiment mutual authentication andsecurity agreement (MASA) protocols that use independently generatedintegrity and/or encryption keys to securely communicate privateinformation exchanged between UEs and various network-side devices(e.g., base stations, MMEs, HSSs, etc.). In particular, embodiment MASAprotocols may use an initial authentication request (IAR) encryption key(KIAR_(ENC)) to encrypt UE specific information (e.g., an IMSI, etc.) inan IAR message and/or an initial authentication response (IAS)encryption key (KIAS_(ENC)) to encrypt private information in an IASmessage. Additionally, embodiment MASA protocols may use an IARintegrity protection key (KIAR_(INT)) to verify the integrity ofinformation in an IAR message and/or an IAS integrity protection key(KIAS_(INT)) to verify the integrity of information in an IAS message.The KIAR_(ENC), KIAR_(INT), KIAS_(ENC), and/or KIAS_(INT) may beindependently computed by the UE and a home subscriber server (HSS)based on, for example, a pre-provisioned key (K-key) of the UE and oneor more random numbers (e.g., RAND₁, RAND₂, UE random number(RAND_(UR)), home network random number (RAND_(HN)), and/or a COUNTER.Using a COUNTER to compute an instance of a given key may be useful inensuring that each generated instance of the key differs from previousgenerated instances of the key, as it is possible that the same randomnumber could be selected to generate different instances of a key, whichcould constitute a security vulnerability.

Different levels of encryption and/or integrity protection can beachieved depending on the complexity of the embodiment MASA protocol. Inone embodiment, a low complexity MASA protocol use integrity keys (e.g.,a KIAR_(INT) and/or a KIAS_(INT)) to provide integrity protection whencommunicating IAR and/or IAS messages having a single layer ofencryption protection. In particular, a UE may encrypt UE specificinformation (e.g., an IMSI, random numbers, etc.) using a home networkpublic key (HPuK) to form an encrypted portion, and then generate amedia access control (MAC) signature by computing a hash function of theencrypted portion, and potentially additional information (e.g., arandom number) in an outer portion of the IAR message, using aKIAR_(INT). The UE may then send an IAR message carrying the encryptedportion and the MAC signature to a base station in a serving network,which may relay the IAR message to an MME. The MME may encapsulate theIAR message into a user authentication data request message, which maythen be sent to a home subscriber server (HSS) in the UE's home network.The HSS may independently compute a MAC signature of the contents of theIAR message based on an independently generate integrity key (e.g., theKIAR_(INT)), and then compare the independently generated MAC signaturewith the MAC signature included in the IAR message to verify theintegrity of the encrypted portion of the IAR message. A similarprocedure can be used to provide integrity protection for the IASmessage.

In another embodiment, a higher complexity MASA protocol uses encryptionkeys (e.g., KIAR_(ENC) and/or KIAS_(ENC)) in conjunction with the homenetwork public-private key pair to provide two layers of encryption forthe contents of IAR and/or IAS messages. In particular, a UE may use apre-provisioned key and a first random number (RAND₁) to generate aninitial authentication request encryption key (KIAR_(ENC)). TheKIAR_(ENC) is then used to encrypt private information to form anencrypted inner portion of an authentication request message. Theprivate information may include the IMSI of the UE, the RAND₁, a secondrandom number (RAND₂), UE-Security-Capabilities, and/or a counter. Next,the UE may encrypt the RAND₁, the IMSI, and the encrypted inner portionto obtain an encrypted outer portion of the authentication requestmessage. Other information may also be encrypted when generating theencrypted outer portion. The public key used to generate the encryptedouter portion may belong to a private-public-key-pair. In oneembodiment, the public key is a home network public key (HPuK). Inanother embodiment, the public key is a serving network public key(SPuK). Thereafter, the UE may send the authentication request messagecarrying the encrypted outer portion and an unencrypted networkidentifier to an MME in the serving network. If the public key used togenerate the encrypted outer portion was a SPuK, then the unencryptednetwork identifier in the authentication request message may be aserving network identifier (SID). In that case, the MME may use aserving network private key to decrypt the encrypted outer portion andobtain the RAND₁, the IMSI, and the encrypted inner portion, which maythen be forwarded to a home subscriber server (HSS) in a home network ofthe UE. Alternatively, if the public key used to generate the encryptedouter portion was a HPuK, then the unencrypted network identifier in theauthentication request message may be a home network identifier (HID).In that case, the MME would send an authentication and data requestcarrying the encrypted outer portion, along with the HID, MME securitycapability identifiers, to the HSS in the home network. The HSS wouldthen decrypt the encrypted outer portion using a home network privatekey and obtain the RAND₁, the IMSI, and the encrypted inner portion.

In both cases, the HSS would then use the RAND₁ and a K key associatedwith the UE to independently generate the KIAR_(ENC), which the HSSwould subsequently use to decrypt the encrypted inner portion. The HSSwould then verify that IMSI in the decrypted inner portion matched theIMSI in the decrypted outer portion to verify that the encrypted outerportion had not been tampered with by an unauthorized third party.Thereafter, the HSS may verify that the counter in the decrypted innerportion matched a counter maintained by the HSS initial authenticationrequest (IAR) was fresh (i.e., not stale). If the validations weresuccessful, then the HSS may generate an initial authentication responseencryption key (KIAS_(ENC)) based on the RAND₂ and the K key associatedwith the IMSI. The HSS may also generate one or more authenticationvectors. The HSS may then send an initial authorization and dataresponse to the MME that includes the KIAS_(ENC) and the authenticationvectors. In some embodiments, the initial authorization and dataresponse includes a UE security capability parameter. The MME may thenselect one of the authentication vectors, as well as a non-accessstratum (NAS) ciphering algorithm. The MME may also assign a temporarynetwork identifier (e.g., a globally unique temporary identifier (GUTI))to the UE. Thereafter, the MME may encrypt the KIAS_(ENC), the temporarynetwork identifier, and a key set identifier (KSI) associated with theselected NAS ciphering algorithm using the KIAS_(ENC) to obtainencrypted NAS security data. The encrypted NAS security data may includeother information as well, such as the counter and the RAND₂. The MMEmay then send an initial authentication and data response to the UEcarrying the encrypted NAS security data as well as an unencryptedRAND₂. The UE may then independently generate the KIAS_(ENC) based onthe RAND2 and the K key. The UE may then generate a ciphering key usingthe NAS ciphering algorithm associated with the KSI in the decrypted NASsecurity data. The UE may then return a security authentication completemessage to the MME, confirming that the serving network has beenauthenticated. Encrypting the IMSI, as well as the temporary network ID,in the manner described herein allows that information to be securelyexchanged during LTE authentication and NAS security protocols.Additionally, the embodiment procedures described herein reduce thenumber of messages exchanged between the UE and the base station duringLTE authentication and NAS security protocols. These and other detailsare discussed in greater detail below.

FIG. 1 illustrates a network 100 for communicating data. The network loocomprises a base station no having a coverage area 101, a plurality ofmobile devices 115, and a backhaul network 130. As shown, the basestation no establishes uplink (dashed line) and/or downlink (dottedline) connections with the mobile devices 115, which serve to carry datafrom the mobile devices 115 to the base station no and vice-versa. Datacarried over the uplink/downlink connections may include datacommunicated between the mobile devices 115, as well as datacommunicated to/from a remote-end (not shown) by way of the backhaulnetwork 130. As used herein, the term “base station” refers to anycomponent (or collection of components) configured to provide wirelessaccess to a network, such as an enhanced base station (eNB), amacro-cell, a femtocell, a Wi-Fi access point (AP), or other wirelesslyenabled devices. Base stations may provide wireless access in accordancewith one or more wireless communication protocols, e.g., long termevolution (LTE), LTE advanced (LTE-A), High Speed Packet Access (HSPA),Wi-Fi 802.11a/b/g/n/ac, etc. As used herein, the term “mobile device”refers to any component (or collection of components) capable ofestablishing a wireless connection with a base station, such as a userequipment (UE), a mobile station (STA), and other wirelessly enableddevices. In some embodiments, the network loo may comprise various otherwireless devices, such as relays, low power nodes, etc.

FIG. 2 illustrates a network architecture 200 for a 5G LTE wirelessnetwork. As shown, the network architecture 200 includes a radio accessnetwork (RAN) 201, an evolved packet core (EPC) 202, and a home network203 of a UE 215 attempting to access the RAN 201. The RAN 201 and theEPC 202 form a serving wireless network. The RAN 201 includes a basestation 210, and the EPC 202 includes a mobility management entity (MME)220, a serving gateway (SGW) 222, and a packet data network (PDN)gateway (PGW) 224. The MME 220 is the termination point in the networkfor ciphering/integrity protection for NAS signaling and handles thesecurity key management. It should be appreciated that the term “MME” isused in 4G LTE networks, and that 5G LTE networks may include a SecurityAnchor Node (SEAN) or a Security Access Function (SEAF) that performssimilar functions. The terms “MME,” “SEAN,” and “SEAF” are usedinterchangeably throughout this document. The MME 220 also provides thecontrol plane function for mobility between LTE and 2G/3G accessnetworks, as well as an interface to home networks of roaming UEs. TheSGW 222 routes and forwards user data packets, while also acting as amobility anchor for the user plane during handovers. The PGW 224provides connectivity from UEs to external packet data networks by beingthe point of exit and entry of traffic for the UEs. The HSS 230 is acentral database that contains user-related and subscription-relatedinformation.

Conventional LTE authentication protocols communicate an unencryptedIMSI of the UE over the radio access network, which presents securityvulnerability. FIG. 3 illustrates a protocol diagram of a conventionalcommunications sequence 300 for authenticating the UE 215 in a wirelessnetwork. As shown, the communications sequence 300 begins when the MME220 communicates an identity request 310 to the UE 215. Next, the UE 215communicates an identity response 320 to the MME 220. The identityresponse 320 includes an unencrypted IMSI of the UE 215. Thereafter, theMME 220 communicates an authorization data request 330 to the HSS 230.The authorization data request 330 may include the IMSI. The HSS 230then computes EPS authentication vectors, and sends an authorizationdata response 335 carrying the EPS authentication vectors to the MME220. Subsequently, the MME 220 communicates a user authenticationrequest 340 to the UE 215. The user authentication request 340 includesa random number (RAND) and an authentication parameter (AUTN). The UE215 computes an authentication response (RES) based on the RAND, AUTN,and a secret key. The secret key may be a priori information to the UE215. For example, the secret key (e.g., a subscriber-specific master key(K)) may be stored in a Universal Subscriber Identity Module (USIM) ofthe UE 215. The UE 215 may then send a user authentication response 350carrying the authentication response (or RES) to the MME 220.

Thereafter, the MME 220 communicates a security mode command message 360to the UE 215. The security mode command message 360 may indicate anintegrity protection algorithm and a ciphering algorithm. The UE 215 mayuse the integrity protection algorithm to verify the integrity of thesecurity mode command message 360. After verifying the integrity of thesecurity mode command message 360, the UE 215 uses the cipheringalgorithm to derive NAS encryption keys. The UE 215 then sends thesecurity mode complete message 370 to the MME 220 to verify that the UE215 validated the security mode command message 360, and derived the NASencryption keys.

In some instances, a third party may eavesdrop on the communicationssequence 300 in an attempt to intercept one or more of the messages310-370. If the identity response 320 is intercepted, then the thirdparty may use the unencrypted IMSI to perform unauthorized activities,such as to track the UE 215.

Aspects of this disclosure prevent, or at least inhibit, unauthorizedthird parties from obtaining an IMSI of a UE during LTE authenticationby encrypting the IMSI using a public key. The public key may be a partof a public-private key pair such that information encrypted with thepublic key can only be decrypted with the private key. In one example,the public key is a home network public key, and the encrypted IMSI isdecrypted by an HSS in the home network of the UE using a home networkprivate key. In such an example, the home network public key may be apriori information of the UE, e.g., the home network public key may bestored in a USIM of the UE. In another example, the public key is aserving network public key (SPuK), and the encrypted IMSI is decryptedby an MME in the serving network using a serving network private key.Other examples are also possible.

FIG. 4 illustrates a protocol diagram of an embodiment communicationssequence 400 for authenticating a UE 215 in a wireless network. Asshown, the communications sequence 400 begins when the MME 220communicates an identity request 410 to the UE 215. Upon receiving theidentity request 410, the UE 215 generates a MAC signature by computinga hash of UE specific information (e.g., an IMSI, a RAND₁, etc.) using aKIAR_(INT), and then encrypts the UE specific information along with theMAC signature using a HPuK to obtain an encrypted portion. The UE 215sends an initial authentication request (IAR) message 420 carrying theencrypted portion to the base station 210, which relays the IAR message420 to the MME 220. The IAR message 420 may also include a unencryptedhome network ID (HID) of the home network of the UE 215.

Upon receiving the IAR message 420, the MME 220 may identify the homenetwork of the UE 215 based on the unencrypted HID, and communicate anauthentication and data request message 430 to the HSS 230 in theidentified home network. Upon receiving the authentication and datarequest message 430, the HSS 230 may decrypt encrypted portion using aHPrK, and verify the integrity of the encrypted portion based on the MACsignature. In one example, the HSS 230 independently generates a MACsignature by computing a hash of the information in the authenticationand data request message 430 using an independently generated integritykey (e.g., a KIAR_(INT)), and then compares the independently generatedMAC signature with the MAC signature carried by the encrypted portion inthe authentication and data request 430. The HSS 230 may also takefurther steps to validate the encrypted portion. For example, the HSS230 may verify that a COUNTER in the encrypted portion of theauthentication and data request message 430 (e.g., a counter originallyin the IAR message 420) exceeds an independent COUNTER maintained by theHSS 230 in order to confirm that the encrypted portion in theauthentication and data request message 430 is fresh (e.g., not stale).If the encrypted portion is stale, then it may have been intercepted bya malicious man-in-the-middle entity.

After verifying the integrity of the encrypted portion(s), the HSS 230may generate authentication vectors based on an EPS-AKA procedure, andsend an authentication and data response message 435 carrying the EPSauthentication vectors to the MME 220. The authentication and dataresponse message 435 may include other information in addition to theEPS authentication vectors, such as integrity/encryption keys (e.g., aKIAS_(INT), KIAS_(ENC), etc.), the IMSI of the UE, a COUNTER, and/or aUE security capabilities. The UE security capabilities may indicateprotocol capabilities supported by the UE, such as,for example, NASciphering algorithms supported by the UE.

The MME 220 may then send an initial authentication response (IAS)message 450 to the UE 215. The IAS message 450 may have variousdifferent frame formats, and the contents of the IAS message 450 mayvary depending on the frame format being used. In one example, the IASmessage 450 includes encrypted NAS security data and a key setidentifier (KSI) associated with a NAS ciphering algorithm. The UE 215may use the NAS ciphering algorithm along with an independentlygenerated encryption key (e.g., a KIAS_(ENC)) to decrypt the encryptedNAS security data. After decrypting the encrypted NAS security data, theUE 215 may send a security and authentication complete message 470 tothe MME 220.

As mentioned above, the IAR message 420, the authentication and datarequest message 430, the user authentication information responsemessage 435, and the IAS message 450 may have various different frameformats. FIG. 5 illustrates frame formats for an embodiment IAR message520, an embodiment authentication and data request message 530, anembodiment authentication and data response message 535, and anembodiment IAS message 550.

The embodiment IAR message 520 corresponds to the IAR message 420 sentfrom the UE 215 to the MME 220. In this example, the embodiment IARmessage 520 includes UE Specific information (UE_info), a MAC signature,and a home network identifier (HID). The UE_info may include variousinformation associated with, or generated by, the UE, including (but notlimited to) an IMSI, one or more random numbers (e.g., RAND₁, RAND₂,etc.), a counter, and/or UE security capability parameters. The MACsignature may be generated by computing a hash function of the UE_infoaccording to an integrity key (e.g., a KIAR_(INT)) and/or a randomnumber (e.g., RAND₁). The MAC signature and the UE_info are encryptedusing a HPuK to form an encrypted portion 522 of the embodiment IARmessage 520.

The embodiment authentication and data request message 530 correspondsto the authentication and data request message 430 sent from the MME 220to the HSS 230. As shown, the embodiment authentication and data requestmessage 530 includes the embodiment IAR message 520 and an HID.

The embodiment authentication and data response message 535 correspondsto the authentication and data response message 435 sent from the HSS230 to the MME 220. As shown, the user authentication informationresponse message 535 includes UE_info (e.g., an IMSI, counter, RAND₁,RAND₂, UE security capabilities, etc.), as well as authenticationvectors (AVs), a KIAS_(ENC), and a KIAS_(INT).

The embodiment JAS message 550 corresponds to the JAS message 450 sentfrom the MME 220 to the UE 215. As shown, the JAS message 450 includesan encrypted inner portion 552, an outer portion 554, and a MAC 556. Theencrypted inner portion 552 is formed by encrypting the AVs using aKIAS_(ENC). It should be appreciated that the encrypted inner portion552 may include other information (e.g., a KSI) in addition to the AVs.The outer portion 554 includes a RAND₂ and the encrypted inner portion552. The MAC signature 556 is generated by computing a hash of the outerportion 554 using the KIAS_(INT).

Other frame formats are also possible. FIG. 6 illustrates frame formatsfor an embodiment IAR message 620, an embodiment authentication and datarequest message 630, an embodiment authentication and data responsemessage 635, and an embodiment IAS message 650.

The embodiment IAR message 620 corresponds to the IAR message 420 sentfrom the UE 215 to the MME 220. In this example, the embodiment IARmessage 620 includes an encrypted portion 622 and a home networkidentifier (HID). The encrypted portion 622 is generated by using anHPuK to encrypt a UE security capability parameter (UE_SEC_CAP), anIMSI, a RAND₁, a RAND₂, a COUNTER, and a MAC signature. The MACsignature is generated by computing by using a KIAR_(INT) to compute ahash of the UE_SEC_CAP, the IMSI, the RAND₁, the RAND₂, and the COUNTER.

The embodiment authentication and data request message 630 correspondsto the authentication and data request message 430 sent from the MME 220to the HSS 230. As shown, the embodiment authentication and data requestmessage 630 includes the embodiment IAR message 620 and an HID.

The embodiment authentication and data response message 635 correspondsto the authentication and data response message 435 sent from the HSS230 to the MME 220. As shown, the authentication and data responsemessage 635 includes a KIAS_(ENC), a KIAS_(INT), AV(s), a UE_SEC_CAP, anIMSI, a RAND₁, a RAND₂, and a COUNTER.

The embodiment JAS message 650 corresponds to the JAS message 450 sentfrom the MME 220 to the UE 215. As shown, the JAS message 450 includesan encrypted inner portion 652, an outer portion 654, and a MACsignature 656. The encrypted inner portion 652 is formed by encrypting aKSI, and a RAND∥AUTN using the KIAS_(ENC). The RAND∥AUTN may specify twoor more parameters included in, or derived by the AVs, and may be usedby the UE to authenticate the network and generate a response, e.g., thesecurity and authentication complete message 470, etc. It should beappreciated that the encrypted inner portion 652 may include other UEspecific information. The outer portion 654 includes a RAND2 and theencrypted inner portion 652. The MAC signature 656 is generated bycomputing a hash of the outer portion 654 using the KIAS_(INT).

Embodiments of this disclosure provide methods for performing MASAprotocols. FIG. 7 is a flowchart of an embodiment method 700 forgenerating an IAR message according to a MASA protocol, as may beperformed by a UE. At step 710, the UE generates a KIAR_(INT) based on apre-provisioned key (K key) and a first random number (RAND1). At step720, the UE generates a MAC signature by computing a hash function of UEspecific information using the KIAR_(INT). The UE specific informationincludes at least an IMSI of the UE and the RAND1. At step 730, the UEencrypts the UE specific information and the MAC signature using a homenetwork public key (HPuK) to form an encrypted portion. The HPuK belongsto a public-private key pair such that the encrypted portion can only bedecrypted using a home network private key (HPrK) belonging to thepublic-private key pair. At 740, the UE sends an IAR message carryingthe encrypted portion and an unencrypted home network identifier (HID)to a base station in a serving network. The base station relays the IARmessage to an MME, which sends an authentication and data requestmessage that includes the encrypted portion of the IAR message to an HSSserver in a home network associated with the unencrypted networkidentifier in the IAR message.

FIG. 8 is a flowchart of an embodiment method 800 for processing anauthentication and data request message and generating an authenticationand data response message according to a MASA protocol, as may beperformed by an HSS. At step 810, the HSS receives an authentication anddata request message from a mobility management entity (MME) in aserving network. The authentication and data request message carries anencrypted portion.

At step 820, the HSS decrypts the encrypted portion using a HPrK toobtain a first MAC signature and UE-specific information. TheUE-specific information includes at least an IMSI and a RAND₁. At step830, the HSS obtains a KIAR_(INT) based on the IMSI and the RAND₁. Inone example, the HSS obtains the KIAR_(INT) by sending the IMSI and theRAND₁ to an authentication server, which looks up a pre-provisioned key(K-key) based on the IMSI, generates the KIAR_(INT) based on the K-keyand the RAND₁, and returns the KIAR_(INT) to the HSS. At step 840, theHSS verifies the integrity of the encrypted portion based on theKIAR_(INT). In particular, the HSS generates a second MAC signature bycomputing a hash of UE-specific information in the encrypted portionaccording to the KIAR_(INT), and then compares the second MAC signaturewith the first MAC signature. If the MAC signatures match, then theintegrity of the encrypted portion is verified.

At step 850, the HSS generates authentication vectors (AVs) based on anEPS-AKA procedure. At step 860, the HSS obtains a KIAS_(INT) and aKIAS_(ENC) based on the IMSI of the UE and a RAND2. In one example, theHSS obtains the KIAS_(INT) and the KIAS_(ENC) by sending the IMSI andthe RAND2 to an authentication server. The authentication server looksup a pre-provisioned key (K-key) based on the IMSI, generates theKIAS_(INT) and the KIAS_(ENC) based on the K-key and the RAND2, andreturns the KIAS_(INT) and the KIAS_(ENC) to the HSS. In someembodiments, steps 830 and 860 are performed in parallel such that theIMSI, RAND₁, and RAND2 are sent from the HSS to the authenticationserver in the same request message, and the KIAR_(INT), KIAS_(ENC), andKIAS_(INT) are returned from the authentication server to the HSS in thesame response message. At step 870, the HSS sends an authentication anddata response message to the MME. The authentication and data responsemessage includes the KIAS_(INT), the KIAS_(ENC), the AVs, and UE_info.In some embodiments, a COUNTER is also used when generating KIAR_(INT),KIAS_(INT), and KIAS_(ENC).

FIG. 9 is a flowchart of an embodiment method 900 for processing anauthentication and data response message and generating an IAS messageaccording to a MASA protocol, as may be performed by an MME. At step910, the MME receives an authentication and data response message froman HSS that includes a KIAS_(INT), a KIAS_(ENC), AVs, and user specificinformation. The user specification information may include a UEsecurity capabilities parameter, an IMSI, a RAND2, and/or a COUNTER.

At step 920, the MME encrypts the user specific information using theKIAS_(ENC) to obtain an encrypted portion. At step 930, the MMEgenerates a MAC signature by computing a hash of the encrypted portionand the RAND2 based on the KIAS_(INT). At step 940, the MME sends an IASmessage to a UE that includes at least the encrypted portion, the RAND2,and MAC signature.

FIG. 10 is a flowchart of an embodiment method woo for processing an IASmessage according to a MASA protocol, as may be performed by a UE. Atstep 1010, the UE receives an IAS message from a base station in aserving network. The IAS message includes at least an encrypted portion,a RAND2, and a first MAC signature. At step 1020, the UE computes aKIAS_(INT) and a KIAS_(ENC) based on a K-key of UE and the RAND2. Insome embodiments, step 1020 and 720 may be performed in parallel (e.g.,by a SIM card in the UE) prior to sending an initial IAR message. Atstep 1030, the UE generates a second MAC signature by computing a hashof the encrypted portion and the RAND2 based on the KIAS_(INT). At step1040, the UE verifies that the second MAC signature matches the firstMAC signature in the IAS message. At step 1050, the UE decrypts theencrypted portion using the KIAS_(ENC). At step 1060, the UE sends asecurity and authentication complete message to the MME confirming thatthe network has been authenticated.

Aspects of this disclosure prevent, or at least inhibit, unauthorizedthird parties from obtaining an IMSI of a UE during LTE authenticationby encrypting the IMSI using a KIAR_(ENC). FIG. 11 illustrates aprotocol diagram of an embodiment communications sequence 1100 forauthenticating a UE in a wireless network. As shown, the communicationssequence 1100 begins when the MME 220 communicates an identity request1110 to the UE 215. Next, the UE 215 encrypts a first copy of the IMSIusing a KIAR_(ENC) to form an encrypted inner portion, and encrypts asecond copy of the IMSI and the encrypted inner portion using an HPuK toform an encrypted outer portion. It should be appreciated that other UEspecific information (e.g., RAND1, RAND2, COUNTER, UE_SEC_CAP, etc.) maybe encrypted along with the IMSI when forming the encrypted innerportion and/or the encrypted outer portion. Thereafter, the UE sends anIAR message 1120 carrying the encrypted outer portion to the MME 220. Insome embodiments, the UE 215 sends the IAR message 1120 without havingreceived the identity request 1110. The IAR message 1120 may include anunencrypted home network ID (HID) of the home network of the UE 215.Upon receiving the IAR message 1120, the MME 220 forwards anauthentication and data request message 1130 carrying the encryptedouter portion to the HSS 230. The authentication and data requestmessage 1130 may include other information in addition to the encryptedouter portion, such as MME security capability parameters that identifythe NAS security capabilities of the MME 220, e.g., which NAS cipheringalgorithms are supported by the MME 220. The authentication and datarequest 1130 may also include a serving network identifier (SID) andnetwork type (NWK Type) of the serving network of the MME 220.

Upon receiving the authentication and data request message 1130, the HSS230 may decrypt the encrypted outer portion using a HPrK to obtain thesecond copy of the IMSI and the encrypted inner portion. The HSS 230 maythen decrypt the encrypted inner portion using the KIAR_(ENC) to obtainthe first copy of the IMSI. In some embodiments, the HSS 230 validatesthe authentication and data request message 1130 by comparing the firstcopy of IMSI with the second copy of the IMSI. The HSS 230 may alsocompare the COUNTER with a corresponding COUNTER maintained by the HSS230 to determine whether the authentication and data request 1130 isfresh (e.g., not stale). If the validation is successful, then the HSS230 generates authentication vectors based on an EPS-AKA procedure, andsends an authentication and data response message 1135 carrying the EPSauthentication vectors and a KIAS_(ENC) to the MME 220.

Subsequently, the MME 220 selects one of the authentication vectors, aswell as a non-access stratum (NAS) ciphering algorithm. The MME 220 mayalso assign a temporary network identifier (e.g., a globally uniquetemporary identifier (GUTI)) to the UE. Thereafter, the MME 220 mayencrypt, the temporary network identifier, and a key set identifier(KSI) associated with the selected NAS ciphering algorithm using theKIAS_(ENC) to obtain encrypted NAS security data. The encrypted NASsecurity data may include other information as well, such as the counterand the RAND2. The encrypted NAS security data may be included in theIAS message 1150 sent by the MME 220 to the UE 215. The IAS message 1150may further include an unencrypted version of the RAND2 . The UE 215 mayauthenticate the network by comparing RAND2 to a local version of RAND2stored by the UE 215 and by decrypting the encrypted private informationof the Authentication Response using the KIAS_(ENC) key. The UE 215 thensends a security and authentication complete message 1170 to the MME220.

FIG. 12 illustrates frame formats for an embodiment IAR message 1220, anembodiment authentication and data request message 1230, an embodimentauthentication and data response message 1235, and an embodiment IASmessage 1250.

The embodiment IAR message 1220 corresponds to the IAR message 1120 sentfrom the UE 215 to the MME 220. In this example, the embodiment IARmessage 1220 includes an encrypted inner portion 1222, an encryptedouter portion 1224, and an HID. The encrypted inner portion 1222 isformed by encrypting a UE_SEC_CAP, a first copy of an IMSI, a first copyof a RAND1, a RAND2, and a COUNTER using a KIAR_(ENC). The encryptedouter portion 1224 is generated by encrypting the encrypted innerportion 1222 along with a second copy of the IMSI and a second copy ofthe RAND1 using a HPuK. It should be appreciated that additionalinformation may be included in the encrypted inner portion 1222 and/orthe encrypted outer portion 1224.

The embodiment authentication and data request message 1230 correspondsto the authentication and data request message 1130 sent from the MME220 to the HSS 230. As shown, the embodiment authentication and datarequest message 1230 includes the embodiment IAR message 1220 and anHID.

The embodiment authentication and data response message 1235 correspondsto the authentication and data response message 1135 sent from the HSS230 to the MME 220. As shown, the authentication and data responsemessage 1235 includes a KIAS_(ENC), the UE_SEC_CAP, the IMSI, the RAND2,and the COUNTER.

The embodiment IAS message 1250 corresponds to the IAS message 1150 sentfrom the MME 220 to the UE 215. As shown, the IAS message 1150 includesan encrypted portion 1252 and the RAND2. The encrypted portion 1252 isformed by encrypting a KSI, the AVs, and the COUNTER using theKIAS_(ENC).

Embodiments of this disclosure provide methods for performing MASAprotocols. FIG. 13 is a flowchart of an embodiment method 1300 forgenerating an IAR message according to a MASA protocol, as may beperformed by a UE. At step 1310, the UE generates a KIAR_(ENT) based ona pre-provisioned key (K key) and a RAND1. At step 1320, the UE encryptsUE specific information using the KIAR_(ENC) to form an encrypted innerportion. At step 1330, the UE encrypts at least the encrypted innerportion, a RAND1, and an IMSI using an HPuK to form an encrypted outerportion. At step 1340, the UE sends an IAR message carrying theencrypted outer portion and an unencrypted HID to a base station in aserving network.

FIG. 14 is a flowchart of an embodiment method 1400 for processing anauthentication and data request message and generating an authenticationand data response message according to a MASA protocol, as may beperformed by an HSS. At step 1410, the HSS receives an authenticationand data request message from a MME in a serving network. Theauthentication and data request message carries an encrypted outerportion.

At step 1420, the HSS decrypts the encrypted portion using an HPrK toobtain a first MAC signature and UE-specific information. TheUE-specific information includes at least an IMSI and a RAND1. At step1430, the HSS obtains a KIAR_(ENC) based on the IMSI and the RAND1. Atstep 1440, the HSS decrypts the encrypted inner portion using theKIAR_(ENC) to obtain UE specific information. At step 1450, the HSSgenerates authentication vectors (AVs) based on an EPS-AKA procedure. Atstep 1460, the HSS obtains a KIAS_(ENC) based on the IMSI and a RAND2.In some embodiments, steps 1430 and 1460 are performed in parallel suchthat the IMSI, RAND1, and RAND2 are sent from the HSS to theauthentication server in the same request message, and the KIAR_(ENC)and KIAS_(ENC) are returned from the authentication server to the HSS inthe same response message. At step 1470, the HSS sends an authenticationand data response message to the MME. The authentication and dataresponse message includes the KIAS_(INT), the KIAS_(ENC), the AVs, andUE_info.

FIG. 15 is a flowchart of an embodiment method 1500 for processing anauthentication and data response message and generating an IAS messageaccording to a MASA protocol, as may be performed by an MME. At step1510, the MME receives an authentication and data response message froman HSS that includes a KIAS_(ENC), AVs, and user specific information.The user specification information may include a UE securitycapabilities parameter, an IMSI, a RAND2, and/or a COUNTER.

At step 1520, the MME encrypts at least the user specific informationand the AVs using the KIAS_(ENC) to obtain an encrypted portion. Itshould be appreciated that the encrypted portion may include otherinformation, such as a KSI. At step 1530, the MME sends an IAS messageto a UE that includes at least the encrypted portion.

FIG. 16 is a flowchart of an embodiment method 1600 for processing anIAS message according to a MASA protocol, as may be performed by a UE.At step 1610, the UE receives an IAS message from a base station in aserving network. The IAS message includes at least an encrypted portion,a RAND2, and a first MAC signature. At step 1620, the UE computes aKIAS_(INT) and a KIAS_(ENC) based on a K-key of UE and the RAND2. Insome embodiments, step 1620 and 1310 may be performed in parallel (e.g.,by a SIM card in the UE) prior to sending an initial IAR message. Atstep 1630, the UE decrypts the encrypted portion using the KIAS_(ENC).At step 1640, the UE sends a security and authentication completemessage to the MME confirming that the network has been authenticated.

In some embodiments, the UE uses a serving network public key (SPuK) toencrypt a portion of an IAR message. FIG. 17 illustrates a protocoldiagram of an embodiment communications sequence 1700 for authenticatinga UE in a wireless network. As shown, the communications sequence 1700begins when the MME 220 communicates an identity request 1710 to the UE215. Next, the UE 215 encrypts a first copy of an IMSI using aKIAR_(ENC) to form an encrypted inner portion, and encrypts a secondcopy of the IMSI and the encrypted inner portion using a SPuK to form anencrypted outer portion. It should be appreciated that other UE specificinformation (e.g., a RAND1, a RAND2, a COUNTER, a UE_SEC_CAP, etc.) maybe encrypted along with the IMSI when forming the encrypted innerportion and/or the encrypted outer portion. Thereafter, the UE sends anIAR message 1720 carrying the encrypted outer portion to the MME 220. Insome embodiments, the UE 215 sends the IAR message 1720 without havingreceived the identity request 1710. The IAR message 1720 may include anunencrypted home network ID (SID). Upon receiving the IAR message 1720,the MME 220 determines a serving network private key (SPrK) based on theunencrypted SID, and decrypts the encrypted outer portion of the IARmessage using the SPrK. The MME 220 then forwards an authentication anddata request message 1730 carrying the encrypted inner portion, thesecond copy of the IMSI, and a RAND1 to the HSS 230. The authenticationand data request message 1730 may include other information in additionto the encrypted outer portion, such as MME security capabilityparameters, the SID, and a NWK Type.

Upon receiving the authentication and data request message 1730, the HSS230 may obtain the KIAR_(ENC) based on the second copy of the IMSI andthe RAND1, and decrypt the encrypted inner portion using the KIAR_(ENC)to obtain the first copy of the IMSI. The HSS 230 may then compare thefirst copy of the IMSI (carried in the encrypted inner portion of theauthentication and data request message 1730) with the second copy ofthe IMSI (carried in an unencrypted outer portion of the authenticationand data request message 1730) to verify the integrity of theauthentication information request message 1730. The HSS 230 may alsotake other steps to validate the authentication and data request message1730. For example, the HSS 230 may compare the COUNTER in the encryptedinner portion with a corresponding COUNTER maintained by the HSS 230 todetermine whether the authentication and data request 1730 is fresh(e.g., not stale). If the validation is successful, then the HSS 230 mayobtain a KIAS_(ENC) based on the IMSI and a random number (e.g., RAND1,RAND2, etc.), generate authentication vectors based on an EPS-AKAprocedure, and send an authentication and data response message 1735carrying the EPS authentication vectors and the KIAS_(ENC) to the MME220.

Subsequently, the MME 220 encrypts UE specific information using theKIAS_(ENC) to obtain an encrypted portion, which is sent to the UE 215via an IAS message 1750. The encrypted portion of the IAS message 1750may include other information in addition to the UE specificinformation, such as a temporary network identifier and a KSI associatedwith a NAS ciphering algorithm. The IAS message 1750 may further includean unencrypted version of the RAND2 . The UE 215 may decrypt theencrypted portion of the IAS messageimo using a KIAS_(ENC), and send asecurity and authentication complete message 1770 to the MME 220.

FIG. 18 illustrates frame formats for an embodiment IAR message 1820, anembodiment authentication and data request message 1830, an embodimentauthentication and data response message 1835, and an embodiment IASmessage 1850.

The embodiment IAR message 1820 corresponds to the IAR message 1780 sentfrom the UE 215 to the MME 220. In this example, the embodiment IARmessage 1820 includes an encrypted inner portion 1822, an encryptedouter portion 1824, and an SID. The encrypted inner portion 1822 isformed by encrypting a UE_SEC_CAP, a first copy of an IMSI, a first copyof a RAND1, a first copy of a RAND2, and a first copy of a COUNTER usinga KIAR_(ENC). The encrypted outer portion 1824 is generated byencrypting the encrypted inner portion 1822 along with a second copy ofthe IMSI, a second copy of the RAND1, a second copy of the RAND2, and asecond copy of the COUNTER using a SPuK. It should be appreciated thatadditional information may be included in the encrypted inner portion1822 and/or the encrypted outer portion 1824. In one embodiment, a MACsignature generated by computing a hash of the encrypted outer portion1824 using a KIAR_(INT) is also included in the IAR message 1820.

The embodiment authentication and data request message 1830 correspondsto the authentication and data request message 1730 sent from the MME220 to the HSS 230. As shown, the embodiment authentication and datarequest message 1830 the encrypted inner portion 1822 from the IARmessage 1820, as well as unencrypted information 1834. The unencryptedinformation 1834 includes the second copy of the IMSI, the second copyof the RAND1, the second copy of the RAND2, and the second copy of theCOUNTER, which were obtained from decrypting the encrypted outer portion1824 of the IAR message 1820 using the SPrK.

The embodiment authentication and data response message 1835 correspondsto the authentication and data response message 1735 sent from the HSS230 to the MME 220. As shown, the authentication and data responsemessage 1835 includes a KIAS_(ENC), a KIAS_(INT), the first copy of theCOUNTER, the first copy of the RAND2, the first copy of the IMSI, andAV(s). The first copy of the RAND2 and/or the COUNTER in theauthentication and data response message 1835 may provide replayprotection. In this example the authentication and data response message1835 includes both the RAND2 and the COUNTER. In another example, theauthentication and data response message 1835 includes the RAND2 butexcludes the COUNTER.

The embodiment JAS message 1850 corresponds to the JAS message 1750 sentfrom the MME 220 to the UE 215. As shown, the JAS message 1850 includesan encrypted portion 1852 and the RAND2. The encrypted portion 1852 isformed by encrypting a KSI, the AVs, and the COUNTER using theKIAS_(ENC). In some examples, the embodiment JAS message 1850 includes aMAC signature that is generated by computing a hash of the encryptedportion 1852 using the KIAS_(INT).

Embodiments of this disclosure provide methods for performing MASAprotocols. FIG. 19 is a flowchart of an embodiment method 1900 forgenerating an IAR message according to a MASA protocol, as may beperformed by a UE. At step 1910, the UE generates a KIAR_(ENC) based ona pre-provisioned key (K key) and a RAND1. At step 1920, the UE encryptsUE specific information using the KIAR_(ENC) to form an encrypted innerportion. At step 1930, the UE encrypts at least the encrypted innerportion, a RAND1, and an IMSI using a SPuK to form an encrypted outerportion. At step 1940, the UE sends an TAR message carrying theencrypted outer portion and an unencrypted SID to a base station in aserving network.

FIG. 20 is a flowchart of an embodiment method 2000 for processing anIAR message and generating an authentication and data request messageaccording to a MASA protocol, as may be performed by an MME. At step2010, the MME receives an IAR message carrying an encrypted outerportion and an SID. At step 2020, the MME decrypts the encrypted outerportion using a SPrK associated with the SID to obtain at least anencrypted inner portion, a RAND1, and an IMSI. At step 2030, the MMEsends an authentication and data request message carrying the encryptedinner portion, the RAND1, and the IMSI to an HSS.

FIG. 21 is a flowchart of an embodiment method 2100 for processing anauthentication and data request message and generating an authenticationand data response message according to a MASA protocol, as may beperformed by an HSS. At step 2110, the HSS receives an authenticationand data request message from a MME in a serving network. Theauthentication and data request message carries an encrypted innerportion, a second copy of a RAND1, and a second copy of an IMSI. In someembodiments, the authentication and data request message includes asecond copy of a RAND2 and/or a second copy of COUNTER.

At step 2120, the HSS obtains a KIAR_(ENC) based on the second copy ofthe IMSI and the second copy of the RAND1. At step 2130, the HSSdecrypts the encrypted inner portion using the KIAR_(ENC) to obtain atleast a first copy of the IMSI, a first copy of the RAND1, and a RAND2.In some embodiments, the HSS compares the first copy of the IMSI, RAND1,RAND2, and/or COUNTER with the second copy of the IMSI, RAND1, RAND2,and/or COUNTER (respectively) to verify the integrity of theauthentication and data request message.

At step 2140, the HSS generates authentication vectors (AVs) based on anEPS-AKA procedure. At step 2150, the HSS obtains a KIAS_(ENC) based onthe IMSI and a RAND2. In some embodiments, steps 2120 and 2150 areperformed in parallel such that the second copy of the IMSI, the secondcopy of the RAND1, and the second copy of the RAND2 are sent from theHSS to the authentication server in the same request message, and theKIAR_(ENC) and KIAS_(ENC) are returned from the authentication server tothe HSS in the same response message. At step 2160, the HSS sends anauthentication and data response message to the MME. The authenticationand data response message includes the KIAS_(ENC) the AVs.

In some examples, the UE 215 generates the RAND2, and includes the RAND2in the IAR message. The RAND2 is then used by the HSS 230 toindependently generate the KIAS_(ENC) and/or the KIAS_(INT). In otherexamples, the HSS 230 independently generates the RAND2, and sends theRAND2 to the authentication server. The authentication server thengenerates the KIAS_(INT) and/or the KIAR_(ENC) based on the RAND2, thek-key, and (in some cases) a COUNTER, and returns the KIAS_(INT) and/orthe KIAS_(ENC) to the HSS 230. The HSS 230 then forwards the KIAS_(INT)and/or the KIAS_(ENC) to the MME 220, which may use the the KIAS_(ENC)and/or the KIAS_(INT) to generate the IAS message. In such an example,the RAND2 and the COUNTER may be sent to the UE 214 via the IAS message,and the UE may use RAND2, the k-key, and the COUNTER to independentlycompute the KIAS_(ENC) and/or the KIAS_(INT). In an embodiment, aCOUNTER is required to be included in an IAS message for purposes ofreplay protection when the RAND2 is independently generated by the HSS230.

When a COUNTER is included in an authentication and data requestmessage, the HSS may compare the COUNTER with an independent COUNTERmaintained by the HSS to ensure that the COUNTER in the authenticationand data request message exceeds the independent COUNTER maintained bythe HSS. This may confirm that information in the authentication anddata request message is fresh, as well as provide replay protection.Likewise, when a COUNTER is included in an IAS message, the UE maycompare the COUNTER with an independent COUNTER maintained by the UE toensure that the COUNTER in the IAS message exceeds the independentCOUNTER maintained by the HSS. This may confirm that information withinthe IAS message is fresh, as well as provide replay protection.

It should be appreciated that encrypting an IMSI in an IAR message (aswell as other messages) using, for example, a KIAR_(ENC), a SNPuK,and/or a HNPuK serves to at least partially conceal the IMSI frommalicious third parties.

It should be appreciated that a MAC signature may used to provideintegrity protection for the contents of any message described herein.

FIG. 22 illustrates a frame formats for an embodiment IAR message 2220.The embodiment IAR message 2220 includes an encrypted inner portion2222, an outer portion 2224, and a MAC signature 2226. The encryptedinner portion 2222 is formed by encrypting an IMSI and a COUNTER usingan HPuK. The outer portion 2224 includes the encrypted inner portion2222, a UE_SEC_CAP, a RAND1, and an HID. The MAC 2226 is generated bycomputing a hash of the outer portion 2224 using a KIAR_(INT).

FIG. 23 illustrates a block diagram of an embodiment processing system2300 for performing methods described herein, which may be installed ina host device. As shown, the processing system 2300 includes a processor2304, a memory 2306, and interfaces 2310-2314, which may (or may not) bearranged as shown in FIG. 23. The processor 2304 may be any component orcollection of components adapted to perform computations and/or otherprocessing related tasks, and the memory 2306 may be any component orcollection of components adapted to store programming and/orinstructions for execution by the processor 2304. In an embodiment, thememory 2306 includes a non-transitory computer readable medium. Theinterfaces 2310, 2312, 2314 may be any component or collection ofcomponents that allow the processing system 2300 to communicate withother devices/components and/or a user. For example, one or more of theinterfaces 2310, 2312, 2314 may be adapted to communicate data, control,or management messages from the processor 2304 to applications installedon the host device and/or a remote device. As another example, one ormore of the interfaces 2310, 2312, 2314 may be adapted to allow a useror user device (e.g., personal computer (PC), etc.) tointeract/communicate with the processing system 2300. The processingsystem 2300 may include additional components not depicted in FIG. 23,such as long term storage (e.g., non-volatile memory, etc.).

In some embodiments, the processing system 2300 is included in a networkdevice that is accessing, or part otherwise of, a telecommunicationsnetwork. In one example, the processing system 2300 is in a network-sidedevice in a wireless or wireline telecommunications network, such as abase station, a relay station, a scheduler, a controller, a gateway, arouter, an applications server, or any other device in thetelecommunications network. In other embodiments, the processing system2300 is in a user-side device accessing a wireless or wirelinetelecommunications network, such as a mobile station, a user equipment(UE), a personal computer (PC), a tablet, a wearable communicationsdevice (e.g., a smartwatch, etc.), or any other device adapted to accessa telecommunications network.

In some embodiments, one or more of the interfaces 2310, 2312, 2314connects the processing system 2300 to a transceiver adapted to transmitand receive signaling over the telecommunications network. FIG. 24illustrates a block diagram of a transceiver 242400 adapted to transmitand receive signaling over a telecommunications network. The transceiver2400 may be installed in a host device. As shown, the transceiver 2400comprises a network-side interface 2402, a coupler 2404, a transmitter2406, a receiver 2408, a signal processor 2410, and a device-sideinterface 2412. The network-side interface 2402 may include anycomponent or collection of components adapted to transmit or receivesignaling over a wireless or wireline telecommunications network. Thecoupler 2404 may include any component or collection of componentsadapted to facilitate bi-directional communication over the network-sideinterface 2402. The transmitter 2406 may include any component orcollection of components (e.g., up-converter, power amplifier, etc.)adapted to convert a baseband signal into a modulated carrier signalsuitable for transmission over the network-side interface 2402. Thereceiver 2408 may include any component or collection of components(e.g., down-converter, low noise amplifier, etc.) adapted to convert acarrier signal received over the network-side interface 2402 into abaseband signal. The signal processor 2410 may include any component orcollection of components adapted to convert a baseband signal into adata signal suitable for communication over the device-side interface(s)2412, or vice-versa. The device-side interface(s) 2412 may include anycomponent or collection of components adapted to communicatedata-signals between the signal processor 2410 and components within thehost device (e.g., the processing system 2300, local area network (LAN)ports, etc.).

The transceiver 2400 may transmit and receive signaling over any type ofcommunications medium. In some embodiments, the transceiver 2400transmits and receives signaling over a wireless medium. For example,the transceiver 2400 may be a wireless transceiver adapted tocommunicate in accordance with a wireless telecommunications protocol,such as a cellular protocol (e.g., long-term evolution (LTE), etc.), awireless local area network (WLAN) protocol (e.g., Wi-Fi, etc.), or anyother type of wireless protocol (e.g., Bluetooth, near fieldcommunication (NFC), etc.). In such embodiments, the network-sideinterface 2402 comprises one or more antenna/radiating elements. Forexample, the network-side interface 2402 may include a single antenna,multiple separate antennas, or a multi-antenna array configured formulti-layer communication, e.g., single input multiple output (SIMO),multiple input single output (MISO), multiple input multiple output(MIMO), etc. In other embodiments, the transceiver 2400 transmits andreceives signaling over a wireline medium, e.g., twisted-pair cable,coaxial cable, optical fiber, etc. Specific processing systems and/ortransceivers may utilize all of the components shown, or only a subsetof the components, and levels of integration may vary from device todevice.

Although the description has been described in detail, it should beunderstood that various changes, substitutions and alterations can bemade without departing from the spirit and scope of this disclosure asdefined by the appended claims. Moreover, the scope of the disclosure isnot intended to be limited to the particular embodiments describedherein, as one of ordinary skill in the art will readily appreciate fromthis disclosure that processes, machines, manufacture, compositions ofmatter, means, methods, or steps, presently existing or later to bedeveloped, may perform substantially the same function or achievesubstantially the same result as the corresponding embodiments describedherein. Accordingly, the appended claims are intended to include withintheir scope such processes, machines, manufacture, compositions ofmatter, means, methods, or steps.

What is claimed is:
 1. A method for secure authentication, the methodcomprising: generating, by a user equipment (UE), a first integrity keybased at least on a pre-provisioned key (K key) of the UE and a firstrandom number (RAND1); generating a message authentication code (MAC)signature by computing a hash function of UE specific information usingthe first integrity key, the UE specific information including at leastan International Mobile Subscriber Identity (IMSI) of the UE and theRAND1 ; encrypting the UE specific information and the MAC signatureusing a public key to form an encrypted portion; and sending an initialauthentication request (IAR) message to a base station in a servingnetwork, the IAR message carrying the encrypted portion and anunencrypted network identifier.